Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in at 2025-08-01 22:40:03

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and      /work/SRC/openSUSE:Factory/.shim.new.1944 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim"

Fri Aug  1 22:40:03 2025 rev:130 rq:1296812 version:16.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/shim/shim.changes 2025-07-26 13:39:50.665597991 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.1944/shim.changes 2025-08-01 22:40:04.872183856 +0200
@@ -1,0 +2,33 @@ +Thu Jul 31 12:47:58 UTC 2025 - Joey Lee <j...@suse.com> + +- Add shim-disable-dxe-get-mem-attrs.patch + - On old edk2-stable202308 ovmf, running dxe_get_mem_attrs() causes + get_hsi_mem_info() confusion on hsi_status. It looks that hsi_status + has a copy after running dxe_get_mem_attrs(). Those elements in + hsi_nx_is_enforced(), HEAPX|STACKX|ROW can NOT set into hsi_status. + Let's disabling the approach of DXE get memory attributes until + we found the root cause. + (bsc#1247432) + +------------------------------------------------------------------- +Mon Jul 28 16:25:46 UTC 2025 - Joey Lee <j...@suse.com> + +- Removed pre script in shim package for checking UEFI db has valid key + for shim because it will interrupt group update of RPMs. It should be + moved to %pretrans and re-written by lua. + +------------------------------------------------------------------- +Sun Jul 27 04:48:57 UTC 2025 - Joey Lee <j...@suse.com> + +- Add pre script to shim package for checking UEFI db has valid key for shim. + It prevents that SUSE shim be installed on a machine which can no verify + and boot with it when secure boot is enabled. + User can still install shim success when secure boot is disabled even no + valid key in UEFI db. User should aware that shim can not be boot when + secure boot is enabled. + This checking will useful for changing Microsoft or SUSE CA in the future. + The shim be signed by new MS/SUSE key will NOT be installed on a machine + which does not have new key in UEFI db when secure boot is enabled. It + can prevent booting fail after shim package is updated. 
+ +------------------------------------------------------------------- New: ---- shim-disable-dxe-get-mem-attrs.patch ----------(New B)---------- New: - Add shim-disable-dxe-get-mem-attrs.patch - On old edk2-stable202308 ovmf, running dxe_get_mem_attrs() causes ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.OElzMU/_old 2025-08-01 22:40:05.996230681 +0200 +++ /var/tmp/diff_new_pack.OElzMU/_new 2025-08-01 22:40:05.996230681 +0200 @@ -52,8 +52,10 @@ # with the signature from the UEFI signing service. # Note: For signature requesting, check SIGNATURE_UPDATE.txt Source1: signature-opensuse.x86_64.asc +# openSUSE Secure Boot CA, 2013-2035, PEM format Source2: openSUSE-UEFI-CA-Certificate.crt Source3: shim-install +# SUSE Linux Enterprise Secure Boot CA, 2013-2035, PEM format Source4: SLES-UEFI-CA-Certificate.crt Source5: extract_signature.sh Source6: attach_signature.sh @@ -97,6 +99,8 @@ Patch5: shim-alloc-one-more-byte-for-sprintf.patch # PATCH-FIX-UPSTREAM shim: change automatically enable MOK_POLICY_REQUIRE_NX (PR #761)(bsc#1205588) - j...@suse.com Patch6: shim-change-automatically-enable-MOK_POLICY_REQUIRE_NX.patch +# PATCH-FIX-SUSE shim-disable-dxe-get-mem-attrs.patch bsc#1247432 j...@suse.com -- Disable DXE approach for getting memory attributes approach +Patch7: shim-disable-dxe-get-mem-attrs.patch BuildRequires: dos2unix BuildRequires: efitools BuildRequires: mozilla-nss-tools ++++++ shim-disable-dxe-get-mem-attrs.patch ++++++ Index: shim-16.0/memattrs.c =================================================================== --- shim-16.0.orig/memattrs.c +++ shim-16.0/memattrs.c 
@@ -459,6 +459,11 @@ get_hsi_mem_info(void) hsi_status |= SHIM_HSI_STATUS_HASMAP; } + if (!(hsi_status & SHIM_HSI_STATUS_HASMAP)) { + dprint(L"No memory protocol, not testing further\n"); + return; + } + get_dxe_services_table(&dst); if (dst) { dprint(L"Setting HSI from %a to %a\n",
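Review bot: In the shim.changes hunk, the Jul 31 entry describes the symptom in a way that is hard to follow and has grammar slips ("It looks that hsi_status has a copy", "Let's disabling the approach", "until we found the root cause"); since this records a workaround whose root cause is still open, state plainly what was observed (HEAPX, STACKX and ROW could not be set in hsi_status after dxe_get_mem_attrs() on edk2-stable202308 OVMF) and that the change is temporary, e.g. "Disable the DXE memory-attribute path until the root cause is found (bsc#1247432)". The Jul 27 entry has the same kind of slips ("which can no verify", "User should aware", "can not be boot") and would read better as "cannot verify", "users should be aware", "cannot boot".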
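Review bot: In the shim.spec hunk at @@ -97,6 +99,8 @@, the PATCH-FIX-SUSE comment for Patch7 reads "Disable DXE approach for getting memory attributes approach" (duplicated "approach"); tighten it to "Disable DXE approach for getting memory attributes" and, since the changelog calls this a temporary workaround, say so in the comment so it is revisited on the next rebase. The hunk adds the Patch7 declaration but no application line is in view; confirm the spec applies patches automatically (%autosetup or %autopatch) or add the matching %patch line, otherwise the patch is declared but never applied.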
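Review bot: In the memattrs.c hunk, the early return only fires when SHIM_HSI_STATUS_HASMAP is not set, i.e. when no memory attribute protocol was found; on firmware that does expose the protocol, get_dxe_services_table(&dst) and the dxe block below it still run, so the patch name "disable-dxe-get-mem-attrs" and the changelog overstate what is skipped. Either describe it as "skip the DXE fallback when no memory protocol is present" or guard the DXE block unconditionally if disabling it everywhere is the intent. The bare `return;` also skips everything that follows in get_hsi_mem_info(), not just the DXE block; confirm nothing further down (other hsi_status bits, dprints) still needs to run in the no-protocol case. A one-line comment above the check referencing bsc#1247432 and the edk2-stable202308 OVMF symptom would keep the workaround from being carried forward silently.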